[Freeipa-users] Cert auto-renew problem.
Lager, Nathan T.
lagern at lafayette.edu
Mon Mar 3 13:50:54 UTC 2014
Today I found that I was unable to authenticate to FreeIPA.
I logged into my IPA master and found that the cert had expired, which has never been a problem in the past.
I did some googling and found a few others with similar problems, but none quite matched the issue I'm seeing.
The issue is this:
[root at caroline0 PROD ~]# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20120203213023':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-SYSTEMS-LAFAYETTE-EDU',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:30:22 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20120203213048':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:30:47 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20120203213112':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=SYSTEMS.LAFAYETTE.EDU
	subject: CN=caroline0.lafayette.edu,O=SYSTEMS.LAFAYETTE.EDU
	expires: 2014-02-03 21:31:11 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Now, if I understand FreeIPA, the CA is FreeIPA itself, isn't it? If so, how could it be unreachable?
What else might I be able to try to get past this?
Thanks!
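A small checker, added here as an illustration and not certmonger's or FreeIPA's own code, that parses `ipa-getcert list` output like the one quoted above and flags tracking requests that are already expired, stuck at the CA, or inside a warning window, so the expiry is noticed before the CA stops talking to the host. The sample output, paths and timestamps are constructed after the post; the parser assumes certmonger's `key: value` layout under each `Request ID` line.

```python
#!/usr/bin/env python3
"""Triage `ipa-getcert list` output: EXPIRED / STUCK / EXPIRING / OK per request."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the post: one expired and stuck entry,
# one healthy entry that is nonetheless close to expiry.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20120203213023':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2014-02-03 21:30:22 UTC
Request ID '20120203213112':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2014-03-20 21:31:11 UTC
"""

def parse_ts(text):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    naive = datetime.strptime(text.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Return one dict per 'Request ID' block, keyed by certmonger's field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first colon only
            cur[key.strip()] = val.strip()
    return entries

def triage(entries, now, warn_days=30):
    """Map request id -> (state, certificate location). Expiry wins over 'stuck'."""
    now_dt, result = parse_ts(now), {}
    for e in entries:
        exp = parse_ts(e["expires"])
        if exp <= now_dt:
            state = "EXPIRED"
        elif e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            state = "STUCK"
        elif exp - now_dt <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        result[e["id"]] = (state, e.get("certificate", ""))
    return result

if __name__ == "__main__":
    for rid, (state, where) in triage(parse_getcert(SAMPLE), "2014-03-03 13:50:54 UTC").items():
        print(f"{rid}  {state:9}  {where}")
```

On a live host, replace `SAMPLE` with the captured output of `ipa-getcert list` and run it from cron or a monitoring check; any EXPIRED or STUCK result is the time to investigate, not the day authentication fails.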